It seems there is an interesting analogy between the ptrace() bug published Rafal Wojtczuk and a (much less dangerous) problem with disk quotas published by Wojciech Purczynski. In both cases, a program running with elevated privileges inherits something (a traced process, a file descriptor), and in both cases, it exercises its privileges on that thing (in the first case, a traced process is allowed to execute a setuid/setgid program (*); in the second case, the file is allowed to grow past its owner's disk quota). Apparently, it is not a good idea to mix two styles of access checks: immediate checks using current process' credentials and checks based the possession of some sort of "capability" (i.e. a file descriptor) that has been acquired in the past (perhaps using different credentials). (*) Such a feature can be quite useful...assuming it is not implemented in a way that introduces a big security hole. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
